CVE-2022-50213: netfilter: nf_tables: do not allow SET_ID to refer to another table
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: do not allow SET_ID to refer to another table
When doing lookups for sets on the same batch by using its ID, a set from a
different table can be used.
Then, when the table is removed, a reference to the set may be kept after
the set is freed, leading to a potential use-after-free.
When looking for sets by ID, use the table that was used for the lookup by
name, and only return sets belonging to that same table.
This fixes CVE-2022-2586, also reported as ZDI-CAN-17470.
Security readout for executives and security teams
Plain-English summary
CVE-2022-50213 is a Linux kernel netfilter/nf_tables flaw. Under specific table and set handling, the kernel could keep a reference to memory after it was freed, creating a potential use-after-free condition. The source does not provide CVSS, impact outcome, or confirmed exploitation.
Executive priority
Prioritize normal kernel patch management, escalating for critical Linux infrastructure once exposure is confirmed. The vulnerability is a kernel memory-safety issue, but the provided evidence lacks severity scoring, confirmed exploitation, and operational prerequisites.
Technical view
nf_tables could resolve a same-batch SET_ID lookup to a set in another table. If that table was removed, a reference to the freed set could remain. The upstream fix restricts ID lookups to sets belonging to the same table used for name lookup.
Likely exposure
Exposure is limited to Linux systems running affected kernel versions or builds identified by the CVE record and carrying the vulnerable nf_tables behavior. The bundle lists Linux kernel versions including 3.16, 4.19.256, 5.4.211, 5.10.137, 5.15.61, 5.18.18, 5.19.2, and 6.0 as affected.
Exploitation context
The source bundle does not cite active exploitation, public exploit use, KEV listing, required privileges, or attacker location. It states this fixes CVE-2022-2586, also reported as ZDI-CAN-17470. Treat exploitability details as incomplete unless vendor or distribution advisories add context.
Researcher notes
Focus review on nf_tables set lookup behavior across tables during batched operations. The key invariant is that SET_ID lookup must only return sets in the same table used for lookup by name. Evidence is source-level and sparse on exploitability.
Mitigation direction
Apply distribution kernel updates that include the referenced stable fixes.
Reboot systems into the fixed kernel after patching.
Prioritize internet-facing or shared Linux infrastructure after confirming affected kernels.
Check vendor guidance if no fixed package is available.
Track related advisories for CVE-2022-2586 and ZDI-CAN-17470 context.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and images.
Compare kernel builds with vendor advisories and referenced stable commits.
Confirm patched systems booted into the updated kernel.
Document systems where kernel updates are deferred.
Avoid marking active exploitation unless a cited source supports it.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50213 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:03 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.